Manage Keys of Encrypted Shared Folders

You can use Key Manager to manage keys of shared folders and decrypt multiple encrypted shared folders at the same time.

Term explanation:

  • Key store: A key store is any external device or system partition supported by Synology NAS and is used as a physical key to decrypt shared folders.
  • Cypher: A cypher is a method of encrypting keys of shared folders. Key Manager provides two types of cyphers:
    • Passphrase: Keys encrypted by a passphrase can be decrypted by whoever knows the passphrase.
    • Machine key: Keys encrypted by a machine key can only be decrypted by the Synology NAS they are bound to.

To initialize a key store:

  1. Go to Control Panel > Shared Folder > Action > Key Manager.
  2. Select an external device or system partition as the key store from Key Store Location.
  3. Enter a passphrase into the Passphrase field for this key store.

Security Suggestions:

  • For safety and management purposes, it is safer to store the encrypted file and the corresponding key on different devices.
  • We recommend that you select an external device as Key Store Location to enhance your data security.

To add a new key to a key store:

  1. Make sure that you have initialized a key store.
  2. Go to Control Panel > Shared Folder > Action > Key Manager.
  3. Click Add.
  4. Select an encrypted shared folder.
  5. Select the cypher for the encryption key. You can select either Passphrase or Machine key.
  6. Enter or import the encryption key.
  7. Click OK to save the settings.

To decrypt multiple encrypted shared folders manually:

  1. Make sure that you have added keys to the key store.
  2. Go to Control Panel > Shared Folder > Action > Key Manager.
  3. Select the encrypted shared folders you want to decrypt.
  4. Click Mount.

To decrypt multiple encrypted shared folders on boot automatically:

  1. Make sure that you have added keys to the key store.
  2. Go to Control Panel > Shared Folder > Action > Key Manager.
  3. Tick Mount on Boot for the encrypted shared folders you want to decrypt on boot.
  4. Click OK to save the settings.

To eject a key store after boot:

  1. Go to Control Panel > Shared Folder > Action > Key Manager.
  2. Click Configure.
  3. Tick Eject device after boot.
  4. Click OK to save the settings.

To migrate existing encryption keys to a key store for shared folders mounted automatically:

Migrate keys during key store initialization:

  1. When initializing a key store, tick Migrate encryption keys to this key store for all existing shared folders mounted automatically (recommended).

Migrate keys manually:

  1. Go to Control Panel > Shared Folder > Action > Key Manager.
  2. Click Configure.
  3. Click Migrate now.
  4. In case of duplicate keys, you can choose Overwrite duplicate keys.
  5. Click OK to save the settings.

To clone a key store in High Availability mode:

  1. Go to Control Panel > Shared Folder > Action > Key Manager.
  2. Click Clone.
  3. Select a source key store on the active server from Source Key Store.
  4. Select a destination key store on the passive server from Destination Key Store.
  5. Click Apply to save the settings.